Updating Reply Attributes in authenticate section
Matthew Ceroni
matthewceroni at gmail.com
Wed May 1 23:52:49 CEST 2013
In my authorize section I am matching LDAP groups to set VLAN attributes as
such:

    if (Ldap-Group == "netCoreClass-IT") {
        update reply {
            Tunnel-Private-Group-Id:1 := 102
        }
    }
    elsif (Ldap-Group == "netCoreClass-engineering") {
        update reply {
            Tunnel-Private-Group-Id:1 := 112
        }
    }
    elsif (Ldap-Group == "netCoreClass-sales") {
        update reply {
            Tunnel-Private-Group-Id:1 := 116
        }
    }
    elsif (Ldap-Group == "netCoreClass-HR_Facility") {
        update reply {
            Tunnel-Private-Group-Id:1 := 120
        }
    }
    elsif (Ldap-Group == "netCoreClass-finance") {
        update reply {
            Tunnel-Private-Group-Id:1 := 124
        }
    }

Authentication is against Active Directory. So while a user may get
assigned to a VLAN based on their group membership, if they fail to
actually authenticate I want to change what VLAN they are assigned to (want
to put them into a guest VLAN).
How can I update reply attributes further down the chain?
The reason I am doing this is I have an old Cisco wireless LAN controller
that can't fall back to MAC 802.1x authentication. Therefore if a user
fails with their credentials they fail to authenticate altogether. So
when coming from the wireless LAN controller I always want Accept.
I tried putting the following in the users file:

    DEFAULT Called-Station-Id == "e8-40-40-cd-d6-10:sid_802"
            Tunnel-Type:1 = 13,
            Tunnel-Medium-Type:1 = 6,
            Tunnel-Private-Group-Id:1 = 104

Which accomplishes that RADIUS never rejects even on a failed
authentication, but the Tunnel-Private-Group-Id:1 doesn't get modified from
what was set in the authorize section.
Thanks
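
The behaviour described in this post follows from how the users file treats the `=` reply operator compared with `:=`. The following is an added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the reply operators, assuming the DEFAULT entry is processed after the group checks and that attributes are matched by their full name including the tag (`apply_reply_item` and `run_policy` are hypothetical names).

```python
# Simplified model of FreeRADIUS users-file reply operators.
# Assumption of this sketch: attributes match on the whole name, tag included.

VLAN = "Tunnel-Private-Group-Id:1"

# Reply items of the DEFAULT entry from the post (operator supplied by caller).
DEFAULT_ITEMS = [("Tunnel-Type:1", "13"),
                 ("Tunnel-Medium-Type:1", "6"),
                 (VLAN, "104")]


def apply_reply_item(reply, attr, op, value):
    """Apply one reply item to `reply`, a list of (attr, value) pairs."""
    present = any(name == attr for name, _ in reply)
    if op == "=":
        # Add only if no attribute of the same name is already in the reply.
        if not present:
            reply.append((attr, value))
    elif op == ":=":
        # Remove every existing instance, then add the new value.
        reply[:] = [(n, v) for n, v in reply if n != attr]
        reply.append((attr, value))
    elif op == "+=":
        # Always append, keeping whatever is already there.
        reply.append((attr, value))
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return reply


def run_policy(group_vlan, default_op):
    """Replay the post's order: group match first, then the DEFAULT entry.

    group_vlan is None when the user matched none of the LDAP groups.
    """
    reply = []
    if group_vlan is not None:
        apply_reply_item(reply, VLAN, ":=", group_vlan)
    for attr, value in DEFAULT_ITEMS:
        apply_reply_item(reply, attr, default_op, value)
    return reply


if __name__ == "__main__":
    print("group 102, '='  ->", run_policy("102", "="))
    print("group 102, ':=' ->", run_policy("102", ":="))
    print("no group,  '='  ->", run_policy(None, "="))
```

In this model, switching the operator changes the VLAN for every request that matches the DEFAULT entry's Called-Station-Id check, not only for requests that later fail authentication.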